Malicious email attacks that tap ransomware and banking Trojans soared in the third quarter of 2017, while social engineering and targeting techniques grew more sophisticated, according to security firm Proofpoint's Quarterly Threat Report, published Thursday.

Malicious email volume increased 85% from Q2, the report found. This was largely driven by an explosion of email with malicious URLs linking to hosted malware—the volume of which rose 600% from Q2, and more than 2,200% from 2016. This represents the highest proportion of malicious URL messages compared to attachment-based email attacks since 2014.

Ransomware appeared in some 64% of all malicious email, the report found. Locky remained the top payload in terms of ransomware and across all malware families, though new ransomware variants appeared each day. Strains known as Philadelphia and GlobeImposter also grew from small, regionally-focused variants into global threats, thanks to a few high-volume campaigns by a single attacker, according to the report.

Meanwhile, banking Trojans accounted for 24% of all malicious emails. The Trick accounted for 70% of banking Trojan payloads, surpassing Dridex for the top spot.

Email fraud was also on the rise in Q3, up 29% over the previous quarter. Companies also saw increased attack frequency, with 12% more email fraud attempts per targeted organization than Q2.

While exploit kits declined in 2016, criminals that are still using them have now layered social engineering tools into these campaigns, Proofpoint found. This suggests that hackers are looking beyond the exploits alone, as they become harder to find and obtain, the report noted.

Fraudulent support accounts also doubled from Q3 2016, as threat actors continue to tap social engineering to lure in victims. The number of fake customer support accounts used for "angler phishing" grew 5% over Q2, while the volume of phishing links on branded social media channels rose 10%.

The rise of suspicious, look-alike domain registrations was also notable in Q3, the report found. These suspicious domains are often used for typosquatting and spoofing, and usually appear around a major event related to the brand, such as a new product launch. Defensive registration of brand-owned domains fell 20% from the year before, while suspicious domain registrations grew 20% in the same period.

Defensive domain registration is an easy, cost-effective way to prevent attackers from creating look-alike domains for email fraud and credential phishing, the report noted. IT should work with business leaders to create a list of potential look-alike domains to register, and include conference and marketing campaign websites as well.
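
One way IT could draft that registration list, shown as an added example that is not taken from the Proofpoint report: the script derives common typo forms, alternate TLDs and event-site names for a brand domain and removes what the company already owns. The brand `example.com`, the TLD and keyword lists, and the owned set are constructed placeholders, and the code assumes a single-label TLD.

```python
"""Build a defensive-registration candidate list for one brand domain."""

# Constructed inputs for illustration: replace with the real brand, the TLDs
# the business cares about, event/campaign keywords, and the owned portfolio.
BRAND = "example.com"
TLDS = ["com", "net", "org", "co"]
KEYWORDS = ["conf", "summit", "launch"]
OWNED = {"example.com", "example.net", "exmaple.com"}


def label_variants(label):
    """Common typo forms of a single DNS label."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omitted character
        out.add(label[:i] + label[i] + label[i:])          # doubled character
        if i < len(label) - 1:                             # swapped neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)   # swapping identical neighbours recreates the original
    out.discard("")      # a one-character label minus its character
    return out


def candidates(brand, tlds, keywords):
    """Look-alike domains worth considering for defensive registration."""
    label, _, tld = brand.partition(".")   # assumes "name.tld" with one-label TLD
    found = {f"{v}.{tld}" for v in label_variants(label)}   # typos on the brand TLD
    found |= {f"{label}.{t}" for t in tlds}                 # same name, other TLDs
    for k in keywords:                                      # conference/campaign sites
        found |= {f"{label}{k}.{tld}", f"{label}-{k}.{tld}"}
    found.discard(brand)
    return found


def unregistered(brand, tlds, keywords, owned):
    """Candidates the organisation does not already hold, sorted for review."""
    return sorted(candidates(brand, tlds, keywords) - set(owned))


if __name__ == "__main__":
    for domain in unregistered(BRAND, TLDS, KEYWORDS, OWNED):
        print(domain)
```

The output is a review list for IT and business leaders to prioritise, not a set to register wholesale.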